On Black Friday in 2013, millions of consumers shopped at retailers that had been breached by point-of-sale (POS) malware. A year later, has anything changed?
Target admitted in December 2013 that it was breached between Nov. 27 and Dec. 15 of that year in an incident in which 70 million customers were impacted. The breach also cost Target $148 million in expenses and took the jobs of Target’s CIO and CEO.
As it turns out, the Target breach was only the leading edge of an avalanche of retail breaches that were disclosed in 2014. Grocery chain SuperValu, UPS, Michaels, Dairy Queen, Goodwill, Staples and Home Depot are among the retailers that admitted being breached during the year.
Surprisingly, while the Target breach was reported last December and was the subject of intense scrutiny and discussion in the first half of this year, lessons learned from that incident apparently were not enough to stem the tide.
Home Depot, for example, reported its breach in September, with the actual attack lasting from April to September. That means that Home Depot’s systems were breached long after Target’s disclosure and long after the retailer should have been able to discern lessons and best practices from that incident.
With Home Depot, the retailer has admitted that a third-party vendor’s username and password were compromised. That credential compromise was then leveraged by the attacker to gain access to the Home Depot network. Once inside, a privilege escalation flaw was exploited, giving the attacker broader access. With that access, some form of POS malware was deployed, which is how the customer information was stolen.
The problem with the Home Depot breach scenario is that it is likely the same as what happened at Target. It is also likely the same scenario that has played out at other retailers as well, including some that consumers will shop at on Black Friday.
While this has been a year of disclosures and discussion about retail breaches, the simple truth is this: Little has changed. POS malware is still widely deployed, with the Backoff POS malware alone infecting a thousand retailers, according to the U.S. Secret Service.
Going a step further, privilege escalation vulnerabilities, which in my view are at the root of many retail breaches, remain difficult to deal with. Case in point, it was just last week that Microsoft warned that a complete fix of a potentially compromised domain requires the organization to completely rebuild its domain. Given the proximity to Black Friday and the complexity of rebuilding domains, I suspect that not all retailers that run Windows have actually heeded Microsoft’s advice.
While there are likely still privilege escalation risks present in some retailer networks and there are also likely still many undetected POS infections, not all is lost.
While the risk of retailer breaches on Black Friday is still present, there is much reason for optimism too.
Thanks to the Target breach and those like it, there has been heightened awareness among law enforcement and credit card issuers. While as yet unknown breaches and POS malware might well be lurking on Black Friday retailer systems, the “good guys” are watching for bad things.
Don’t Panic Over Black Friday Security Despite Rash of Retail Breaches
Just because POS malware is present and an attacker has access to a network doesn’t mean that consumers will lose any money. Ongoing monitoring of networks for suspicious activities can potentially detect a post-breach action, where an attacker attempts to take data out of a network.
Also, there is little incentive for an attacker to steal a single credit card; rather, the only way an attacker can make money is by stealing many cards. When the attackers (known sometimes as “carders”) try to sell the credit cards in hacker forums, law enforcement is often watching.
Additionally, though there have been many retail breaches over the course of the last year, consumers are typically not liable for any of the losses or fraud. That is to say, even if a consumer’s credit card is part of a breach, there is no financial loss for that individual.
That said, there are some basic consumer best practices that should be considered this Black Friday.
1. Keep all receipts: In the event there is a dispute, having a receipt can be helpful.
2. Check all statements: While credit card issuers are vigilant about looking for fraud, consumers also have a responsibility to make sure charges are accurate.
3. Use multiple cards: In the event there is fraud, one of the actions a credit card issuer may take is to block a card. If you have multiple cards and one is compromised, having another credit card will enable you to shop at another (hopefully uncompromised) retailer.
The bottom line is that risk is present and always has been in retail. In the pre-digital processing age, carbon receipts were a risk that could have enabled fraud. Even just ordering a pizza on the phone and giving your credit card number could be a path to fraud.
Vigilance has always been key to consumer safety with credit cards, and vigilance remains the watchword for Black Friday 2014 as well.
Simply stated: Don’t panic.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.